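name: Resyntax Analysis
# The Resyntax integration is split into two phases: a workflow that analyzes the code and uploads
# the analysis as an artifact, and a workflow that downloads the analysis artifact and creates a
# review of the pull request. This split is for permissions reasons; the analysis workflow checks out
# the pull request branch and compiles it, executing arbitrary code as it does so. For that reason,
# the first workflow has read-only permissions in the github repository. The second workflow only
# downloads the pull request review artifact and submits it, and it executes with read-write permissions
# without executing any code in the repository. This division of responsibilities allows Resyntax to
# safely analyze pull requests from forks. This strategy is outlined in the following article:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - ready_for_review

# State the read-only grant explicitly instead of relying on the repository's default token
# permissions. The comment above assumes read-only, but that is only guaranteed for pull requests
# from forks; for same-repository pull requests the default can be read-write, and this job runs
# code from the pull request branch (the raco setup/install steps below compile it).
permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    env:
      # NOTE(review): a job-level env makes this token visible to every step, including the ones
      # that compile the checked-out pull request branch. Narrow it to the single step that needs
      # it once that step is confirmed (the checkout action takes its own `token` input and does
      # not read this variable).
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout code
        # NOTE(review): the ref shown here is not a usable action reference (garbled on this page);
        # pin to the full-length commit SHA of the intended release rather than a mutable tag.
        uses: actions/[email protected]
        # See https://github.com/actions/checkout/issues/118.
        with:
          fetch-depth: 0
      - name: Install Racket
        # NOTE(review): same as above — pin this third-party action to a full commit SHA.
        uses: Bogdanp/[email protected]
        with:
          version: current
          distribution: minimal
          local_catalogs: $GITHUB_WORKSPACE
          dest: '"${HOME}/racketdist-minimal-CS"'
          sudo: never
      # Package registration and setup are split so that all local packages are known to raco
      # before any of them is compiled.
      - name: Register local packages
        run: raco pkg install --auto --no-setup plot plot-compat plot-doc plot-gui-lib plot-lib plot-test
      # Compiles the checked-out branch: from this step on, arbitrary code from the PR is executed.
      - name: Install local packages
        run: raco setup --pkgs plot plot-compat plot-doc plot-gui-lib plot-lib plot-test
      - name: Install Resyntax
        run: raco pkg install --auto resyntax
      # Diffs the checkout against the PR base branch and writes the review as a JSON file; the
      # review itself is submitted by the separate, read-write workflow described at the top.
      - name: Analyze changed files
        run: xvfb-run racket -l- resyntax/cli analyze --local-git-repository . "origin/${GITHUB_BASE_REF}" --output-as-github-review --output-to-file ./resyntax-review.json
      - name: Upload analysis artifact
        # NOTE(review): pin to a full commit SHA as with the other actions.
        uses: actions/[email protected]
        with:
          name: resyntax-review
          path: resyntax-review.json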